[cisco-nas] FW: Problems with creating Virtual-Access interfaces

Andris Zarins andris.zarins at microlink.lv
Tue Aug 31 06:25:32 EDT 2004


Hi,

I've got a task to implement dial-in access to a VRF on a Cisco router
(3640). The scheme is almost trivial - a client (a Cisco router, for example
a 2500 series) dials in using ISDN to a Cisco NAS 3640 (12.3(8)T3 - TELCO).
Then RADIUS authentication and authorization is performed, and a
virtual-access interface should be created dynamically with the
configuration received from the RADIUS server. Everything seems OK - the user
dials in, authenticates himself, RADIUS sends the Vaccess interface
configuration (tried debugging - OK), but no Virtual-Access interfaces
are created. Instead, the ISDN channels get bound to the Dialer Profile and
there is no per-user configuration. I tried to downgrade the IOS code to
12.0 - using this version and exactly the same NAS configuration,
VAccess interfaces are created, but there are problems with RADIUS - AAA
messages are denied with the error "decrypt failed" (I believe this is another
story, not connected with this VAccess issue).

The question is - why are there no Virtual-Access interfaces using IOS 12.3?
Am I missing some required configuration? In 12.0 there is a command
"virtual-profile aaa", but it is deprecated since 12.2, and it should
work without it.

Here is RADIUS profile:

Profile="test"
        cisco-avpair = "lcp:interface-config=ip vrf forwarding test"
        cisco-avpair = "lcp:interface-config=ip unnumbered loopback 1"
        cisco-avpair = "lcp:interface-config=encapsulation ppp"
        Framed-Address=10.10.8.2
        Framed-Netmask=255.255.255.240
        Framed-Protocol = PPP
        Framed-Routing = None
        Service-Type = Framed-User

Here is the config of the 3640 Cisco NAS (there is also an analogue dial-in using
a MICA modem pool, but I believe this has nothing to do with the VAccess
issue):

Version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime
hostname man-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 100000 debugging
!
username andris password 0 cisco
memory-size iomem 15
aaa new-model
!
!
aaa group server radius radiuz
 server x.x.x.x auth-port xxx acct-port xxx
!
aaa authentication login default line
aaa authentication login modem local
aaa authentication login telnet line
aaa authentication login no-auth none
aaa authentication ppp default local group radius
aaa authentication ppp modem group radius
aaa authorization network default local group radius
aaa accounting network default start-stop group radius
aaa session-id common
ip subnet-zero
ip tcp path-mtu-discovery
ip cef
!
!
ip vrf test
 rd 77:77
 route-target export 77:77
 route-target import 77:77
!
virtual-profile if-needed
virtual-profile virtual-template 8
isdn switch-type primary-net5
!
!
!
controller E1 2/0
 framing NO-CRC4
 pri-group timeslots 1-31
!
interface Loopback1
 ip address 10.10.8.1 255.255.255.240
!
interface FastEthernet0/0
 ip address x.x.x.x x.x.x.x
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Serial2/0:15
 no ip address
 no ip redirects
 no ip unreachables
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no cdp enable
 ppp authentication chap callin
 ppp multilink
!
interface Virtual-Template8
 description test
 ip unnumbered Loopback1
 ppp authentication chap callin
 ppp multilink
!
interface Dialer2
 ip vrf forwarding test
 ip unnumbered Loopback1
 no ip redirects
 no ip unreachables
 encapsulation ppp
 ip ospf demand-circuit
 dialer pool 1
 dialer idle-timeout 10 either
 dialer string xxxxxxx
 dialer-group 1
 peer default ip address pool vrft
 no cdp enable
 ppp authentication chap callin
 ppp multilink
!
interface Group-Async1
 description Dial-in modem pool
 ip unnumbered FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 ip tcp header-compression
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 9000
 dialer-group 1
 async mode dedicated
 peer default ip address pool modem
 no fair-queue
 ppp authentication chap modem
 group-range 33 56
!
router ospf 1
 router-id x.x.x.x
 log-adjacency-changes
 redistribute connected subnets
 network x.x.x.x x.x.x.x area 2
 network x.x.x.x x.x.x.x area 0.0.0.0
!
ip local pool modem x.x.x.x x.x.x.x
ip local pool isdn x.x.x.x x.x.x.x
ip local pool vrft 10.10.8.2 10.10.8.8
no ip http server
ip classless
!
logging trap debugging
dialer-list 1 protocol ip permit
snmp-server engineID local 0000000902000004274CFB00
snmp-server view cutdown internet included
snmp-server view cutdown ip.21 excluded
snmp-server community public RO 10
snmp-server enable traps tty
no cdp run
route-map isdn permit 10
 match ip address 2
!
!
radius-server host 195.2.96.22 auth-port 1645 acct-port 1646
radius-server retransmit 10
radius-server timeout 2
radius-server key 7 15081E07172F272D3B64
radius-server vsa send accounting
radius-server vsa send authentication
!
end
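An added example, not from the poster or the list: a small Python cross-check of the RADIUS per-user attributes against the NAS config, written from a defender's view. It confirms that `virtual-profile` points at a Virtual-Template that is actually defined and that any VRF the RADIUS server hands out in an `lcp:interface-config` AV pair exists on the NAS, and it flags the cleartext local password and default SNMP community that are visible in the posted config. The excerpts are constructed from the post above; `RADIUS_PROFILE`, `IOS_CONFIG`, `interface_config_cmds` and `audit` are names I chose.

```python
import re

# Constructed excerpts of the RADIUS profile and NAS config quoted in the post.
RADIUS_PROFILE = '''
        cisco-avpair = "lcp:interface-config=ip vrf forwarding test"
        cisco-avpair = "lcp:interface-config=ip unnumbered loopback 1"
        cisco-avpair = "lcp:interface-config=encapsulation ppp"
        Framed-Address=10.10.8.2
        Service-Type = Framed-User
'''

IOS_CONFIG = '''
username andris password 0 cisco
aaa new-model
ip vrf test
 rd 77:77
virtual-profile if-needed
virtual-profile virtual-template 8
interface Loopback1
 ip address 10.10.8.1 255.255.255.240
interface Virtual-Template8
 ip unnumbered Loopback1
snmp-server community public RO 10
'''


def interface_config_cmds(profile):
    """IOS commands the RADIUS server asks the NAS to apply to the per-user Virtual-Access."""
    return re.findall(r'lcp:interface-config=([^"]+)"', profile)


def audit(profile, config):
    """Cross-check the RADIUS per-user config against the NAS config; return a list of findings."""
    lines = config.splitlines()
    findings = []
    # virtual-profile must reference a Virtual-Template that is really defined
    templates = [m.group(1) for l in lines
                 if (m := re.match(r"virtual-profile virtual-template (\d+)", l))]
    if not templates:
        findings.append("no 'virtual-profile virtual-template N': per-user config cannot be cloned")
    for n in templates:
        if f"interface Virtual-Template{n}" not in lines:
            findings.append(f"Virtual-Template{n} is referenced but never defined")
    # every VRF the RADIUS server hands out must exist on the NAS (top-level 'ip vrf NAME' only)
    vrfs = {m.group(1) for l in lines if (m := re.match(r"ip vrf (\S+)$", l))}
    for cmd in interface_config_cmds(profile):
        m = re.match(r"ip vrf forwarding (\S+)", cmd)
        if m and m.group(1) not in vrfs:
            findings.append(f"RADIUS assigns undefined VRF '{m.group(1)}'")
    # weak credentials on the same box that terminates the VRF dial-in
    for l in lines:
        if re.search(r"\bpassword 0 ", l):
            findings.append(f"cleartext local password: {l.strip()}")
        if re.match(r"snmp-server community (public|private) ", l):
            findings.append(f"default SNMP community: {l.strip()}")
    return findings
```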
